The job token scope is only for controlling access to private projects. If project B is public or internal, it’s not required to be added to the allowlist. To make an API request to a private project B, then B must be added to the allowlist for A. Setting at all times, and configure the allowlist for cross-project access if needed.įor example, when the setting is enabled, jobs in a pipeline in project A haveĪ CI_JOB_TOKEN scope limited to project A. It is recommended that project maintainers or owners enable this This setting is disabled by default for all new projects. Other projects can be added and removed by maintainers with access to both projects. The token scope only allows access to the same project where the token comes from. To be accessed by authenticating with the current project’s job token. By limiting the job token access scope, private data cannotīe accessed unless projects are explicitly authorized.Ĭontrol the job token access scope with an allowlist of other projects authorized If a job token is leaked it could potentially be used to access data that is private A job token might give extra permissions that aren’t necessary You can limit the access scope of a project’s CI/CD job token to increase the Enabled on and self-managed in GitLab 14.4.Deployed behind the :ci_scoped_job_token feature flag, disabled by default. You can also use the job token to authenticate and clone a repository from a private project To redesign the feature for more strategic control of the access permissions. Give extra permissions that aren’t necessary. After the job finishes, you can’tĪ job token can access a project’s resources without any configuration, but it might The token is valid only while the pipeline job runs.
A user can cause a job to run by pushing a commit, triggering a manual job,īeing the owner of a scheduled pipeline, and so on. The token has the same permissions to access the API as the user that caused the Pipeline triggers, using the token= parameter.(scoped to the job’s project, when the ci_job_token_scope feature flag is enabled). (the $CI_REGISTRY_PASSWORD is $CI_JOB_TOKEN). You can use a GitLab CI/CD job token to authenticate with specific API endpoints: When a pipeline job is about to run, GitLab generates a unique token and injects it as the Download an artifact from a different pipeline.
0 kommentar(er)
